1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00

dissect: disallow empty partition tables

If we don't find a single useful partition table, refusing dissection.

(Except in systemd-dissect, when we are supposed to show DDI
information, in that case allow this to run and show general DDI
information, i.e. size, UUID and name at least)
This commit is contained in:
Lennart Poettering 2022-12-02 15:05:49 +01:00
parent dee4a6237a
commit 598fd4da1c
3 changed files with 13 additions and 1 deletions

View File

@ -501,7 +501,8 @@ static int parse_argv(int argc, char *argv[]) {
if (r < 0)
return r;
arg_flags |= DISSECT_IMAGE_READ_ONLY;
/* when dumping image info be even more liberal than otherwise, do not even require a single valid partition */
arg_flags |= DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_ALLOW_EMPTY;
break;
case ACTION_MOUNT:

View File

@ -1485,6 +1485,8 @@ static int dissect_image(
}
}
bool any = false;
/* After we discovered all partitions let's see if the verity requirements match the policy. (Note:
* we don't check encryption requirements here, because we haven't probed the file system yet, hence
* don't know if this is encrypted or not) */
@ -1492,6 +1494,8 @@ static int dissect_image(
PartitionDesignator vi, si;
PartitionPolicyFlags found_flags;
any = any || m->partitions[di].found;
vi = partition_verity_of(di);
si = partition_verity_sig_of(di);
@ -1513,6 +1517,9 @@ static int dissect_image(
}
}
if (!any && !FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_EMPTY))
return -ENOMSG;
r = dissected_image_probe_filesystems(m, fd, policy);
if (r < 0)
return r;
@ -1605,6 +1612,9 @@ static int dissect_log_error(int r, const char *name, const VeritySettings *veri
case -ERFKILL:
return log_error_errno(r, "%s: image does not match image policy.", name);
case -ENOMSG:
return log_error_errno(r, "%s: no suitable partitions found.", name);
default:
return log_error_errno(r, "Failed to dissect image '%s': %m", name);
}

View File

@ -80,6 +80,7 @@ typedef enum DissectImageFlags {
DISSECT_IMAGE_PIN_PARTITION_DEVICES = 1 << 21, /* Open dissected partitions and decrypted partitions and pin them by fd */
DISSECT_IMAGE_RELAX_SYSEXT_CHECK = 1 << 22, /* Don't insist that the extension-release file name matches the image name */
DISSECT_IMAGE_DISKSEQ_DEVNODE = 1 << 23, /* Prefer /dev/disk/by-diskseq/… device nodes */
DISSECT_IMAGE_ALLOW_EMPTY = 1 << 24, /* Allow that no usable partitions is present */
} DissectImageFlags;
struct DissectedImage {